
I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.

Probably a thing of the past, but in the old days (NT 4) we used to use logon scripts to do that sort of thing.

I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

I know that there is malware that will edit that registry entry and may even set it to "null" or blank, which I suppose is what " " is?

Keep me posted too!
Technically a null entry would be "" not " ".
Sorry, felt like being a pedantic dick.

Originally Posted by nihil

I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.

meh, not that surprising really. A lot of malware is meant to avoid detection and cleverly hide itself so a standard user does not notice it at all =P AV can only do so much and really is a minor hassle for attackers that aren't script kiddies, really, what with all the advanced encoding libraries out there. It makes detection via definitions a very difficult task and one that will always be a step behind at best >.<

Originally Posted by nihil

I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?

You should get the seemingly normal desktop unless the attacker doesn't want that >.< It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of windows being windows, but it is definitely something I want more info about.............


I agree, I can't quite figure out what it is supposed to achieve. Makes me wonder if there might not be another explorer.exe on the systems? Is the original still there and where it should be? AFAIK the explorer value is there by default but if it were null or blank then explorer.exe is the default shell anyway???

As for "windows being windows" that might explain the odd occurrence but not 4,000 instances or even 400?

It looks pretty deliberate to me, but who did it, how and why?

Last edited by nihil; August 4th, 2010 at 09:16 PM.

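The two questions raised above (whether the value is "" or " ", and whether a blank or absent value still leaves explorer.exe as the shell) can be checked directly on a box. The script below is an added example, not code from the thread; it assumes the entry being discussed is the Winlogon Shell value, checks both the HKLM value and the HKCU override that takes precedence when present, and Classify-ShellValue is a name chosen here.

```powershell
# Added example (not from the thread): audit the Winlogon Shell value and tell
# apart "absent", empty string "", whitespace-only " " and non-default shells.
# Assumption: the value under discussion is Winlogon\Shell in HKLM (machine
# default) and HKCU (per-user override, which wins when it exists).
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Classify-ShellValue {
    # $Value is left untyped on purpose: a [string] parameter would silently
    # turn $null into "", which is exactly the distinction we want to keep.
    param($Value)

    if ($null -eq $Value) {
        # No Shell value at all: Winlogon falls back to explorer.exe.
        return 'absent (explorer.exe is used by default)'
    }
    $s = [string]$Value
    if ($s.Length -eq 0)      { return 'empty string "" (a true null)' }
    if ($s.Trim().Length -eq 0) { return "whitespace only (length $($s.Length)); NOT the same as empty" }
    if ($s -ieq 'explorer.exe') { return 'default (explorer.exe)' }
    return "NON-DEFAULT shell: '$s' (review this machine)"
}

function Get-ShellAudit {
    foreach ($key in $WinlogonKeys) {
        # SilentlyContinue covers both a missing key and a missing Shell value.
        $item = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        $raw  = $null
        if ($item) { $raw = $item.Shell }
        [pscustomobject]@{
            Hive   = $key.Split(':')[0]
            Shell  = if ($null -eq $raw) { '<absent>' } else { "'$raw'" }
            Status = Classify-ShellValue $raw
        }
    }
}

Get-ShellAudit | Format-Table -AutoSize
```

Across a fleet, the same functions can be pushed to each host with Invoke-Command and the results filtered on anything whose Status is not "default" or "absent".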

Nothing ... Just 1 DLL in all images, but that was found as adware (not-a-virus-advertisement-program by Kaspersky)..

The problem was network degradation. Since I look after anti-malware for the company, I was asked to investigate a malware issue (since the network assurance manager said his side was clear). However, as it turns out, we gave up a considerable amount of bandwidth (purchased from a sister company) and the network dude had given for a reduction (he calls it degradation) in bandwidth, so someone goofed up in the process, leading to the dial-up performance.

(rant here)

I did find 4 new variants of w32.SillyFDC (or DFC, one of them) and w32.pilleuz, but I don't think they are connected to the registry issue, since I analyzed all the malware samples before submission and they did not modify the reg key I'm talking about.

Sure it would. Windows on each box, similar or identical configuration for each box; I would suspect we would see very close behavior. <@):P

I see what you are trying to say, but that would only work if all were mirrored at least in some part (the basics)?

My next move would be to take the corporate mirror image and load it onto an offnet virgin system...............then take a look?



Did you test them in a VM? Some malware detects a VM and doesn't reproduce as it would undetected.

The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it. - Albert Einstein